In this course we look at some roles and responsibilities related to the risk management framework. Over the next few screens we will discuss the roles listed here, which are involved in the risk management framework process. You should understand that everyone has a part in the assessment process. Let's start with the authorizing official. This is a senior official or executive with the authority to formally assume responsibility and accountability for operating a system, providing common controls inherited by organizational systems, or using a system, service or application from an external provider. They approve plans, memoranda of agreement or understanding, and plans of action and milestones, and determine whether significant changes in the information system or environment of operation require reauthorization. The authorizing official is the only organizational official who can accept the security and privacy risks to organizational operations, organizational assets and individuals. They coordinate their activities with any interested parties during the authorization process, for example the common control provider, system owner, chief information officer, senior agency official for privacy, the control assessors, the senior accountable official for risk management or risk executive function, and others. The authorizing official may designate a representative. However, the authorizing official remains overall responsible for any actions executed by the authorizing official designated representative. The authorizing official designated representative is an organizational official designated by the authorizing official who is empowered to act on the authorizing official's behalf to coordinate and conduct the day to day activities associated with managing risks to information systems and organizations. This includes carrying out many of the activities related to the execution of the risk management framework.
The only activity that cannot be delegated by the authorizing official to the designated representative is the authorization decision and the signing of the associated authorization decision documents, for example the acceptance of risk or the authorization to operate documents. These remain the responsibility of the authorizing official and cannot be delegated down. The chief information officer is an organizational official responsible for designating a senior agency information security officer; developing and maintaining security policies, procedures and control techniques to address security requirements; overseeing personnel with significant responsibilities for security and ensuring that those personnel are adequately trained; assisting senior organizational officials concerning their security responsibilities; and reporting to the head of the agency on the effectiveness of the organization's security program, including the progress of remedial actions. The CIO and the authorizing officials determine the allocation of resources dedicated to the protection of the systems supporting the organization's mission and business functions, based on organizational priorities. For selected systems, the CIO may be designated as the authorizing official or as a co-authorizing official with the senior organizational officials. The senior information security officer, also known as the chief information security officer, is primarily responsible for duties related to information security. They carry out the chief information security officer responsibilities under the Federal Information Security Management Act, such as reporting and security operations. They also possess professional qualifications and head the security office. The information system owner is an organizational official responsible for the procurement, development, integration, modification, operation, maintenance and disposal of a system.
The information system owner is responsible for addressing the operational interests of the user community and for ensuring compliance with security requirements. In coordination with the system security and privacy officers, the information system owner is responsible for the development and maintenance of the security and privacy plans, and ensures that the system is operated in accordance with the selected and implemented controls. In coordination with the information owner and steward, the information system owner decides who has access to the system and with what type of privilege or access rights. Next we have the program manager. The program manager is responsible for the overall procurement of the system. The program manager does not normally operate or maintain the system; however, they could be assigned as the information system owner. The common control provider is responsible for the development, implementation, assessment and monitoring of common controls, including the security controls inherited by information systems. They are responsible for documenting the organization-identified common controls in the system security plan; ensuring that the required assessments of common controls are carried out by independent assessors or 3PAOs (third party assessment organizations); ensuring that common controls within and across systems are properly documented; documenting the assessment findings in a security assessment report (SAR); ensuring that the documentation and communications are continuous; and appending a plan of action and milestones for any controls having weaknesses or deficiencies. Security and privacy plans, security and privacy assessment reports, and plans of action and milestones for common controls are made available to the owners of the systems inheriting those common controls after the information is reviewed and approved by the authorizing official accountable for those common controls.
The information owner or steward is an organizational official with statutory, management or operational authority for specified information, and responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination and disposal. In information sharing environments, the information owner or steward is responsible for establishing the rules for appropriate use and protection of the information, and retains that responsibility even when the information is shared with or provided to other organizations. The owner or steward of the information processed, stored or transmitted by a system may or may not be the same individual as the system owner. An individual system may contain information from multiple information owners or stewards. The information owner or steward provides input to the system owners regarding the security and privacy requirements and controls for the systems where the information is processed, stored or transmitted. The information systems security manager provides daily oversight of the operations of the information system. They are responsible for ensuring that the configuration and change control processes are followed, as well as keeping the information systems security officer informed about all system decisions. The information systems security officer is the primary advisor to the system owner on security matters. They manage the security aspects of the information system and assist the system owner in developing and enforcing the security policies for the information system, as well as managing and controlling changes to the information system and assessing the security impacts of those changes. The information security architect is an individual, group or organization responsible for ensuring that the information security requirements necessary to protect the organization's core missions and business processes are adequately addressed.
Enterprise architects implement an enterprise architecture strategy that facilitates effective security and privacy solutions. They coordinate with the security and privacy architects to determine the optimal placement of systems or system elements within the enterprise architecture, to address security and privacy issues between systems and the enterprise architecture, and to assist in reducing complexity within the IT infrastructure to facilitate security. They assist with determining the appropriate control implementation and internal configuration baselines as they relate to the enterprise architecture, by collaborating with system owners and authorizing officials to facilitate authorization boundary determinations and the allocation of controls to system elements. They also serve as part of the risk executive function and assist with the integration of the organizational risk management strategy and system level security and privacy requirements into program planning and budgeting activities. The system development life cycle, acquisition processes, security and privacy (including supply chain risk management), and systems engineering processes are all part of the integration that the system architects take part in. The information systems security engineer is generally responsible for the activities associated with protecting information and information systems from unauthorized system activity or behavior, to provide confidentiality, integrity and availability. The information systems security engineer is responsible for conducting system security engineering activities as part of the system development life cycle. This is a process that captures and refines the security and privacy requirements for systems and ensures that the requirements are effectively integrated into systems and system elements through security or privacy architecting, design, development and configuration.
System security engineers coordinate security and privacy activities with senior agency information security officers, senior agency officials for privacy, security and privacy architects, system owners, common control providers, as well as system security or privacy officers. The security control assessor, also known as the third party assessment organization or 3PAO, provides an independent assessment of security controls, ensuring they are implemented correctly, operating as intended and producing the desired outcome. The 3PAO provides recommended corrective actions as part of the security assessment report (SAR). They are also known as a certifying agent. The user representative, also known as a system user, is an individual or system process acting on behalf of an individual that is authorized to access information and information systems to perform assigned duties. System user responsibilities include, but are not limited to, adhering to organizational policies that govern acceptable use of organizational systems, using the organization-provided information technology resources for defined purposes only, and reporting anomalous or suspicious system behaviors to the respective officials. In summary, in this course we discussed the following roles and responsibilities: authorizing official, authorizing official designated representative, chief information officer, senior agency information security officer, information system owner, information systems security officer, program manager, security architect, security engineer, security control assessor (also known as the 3PAO), and user representative.